[JBoss JIRA] (WFLY-8077) datasource subsystem - credential-reference doesn't work
by Stefano Maestri (JIRA)
[ https://issues.jboss.org/browse/WFLY-8077?page=com.atlassian.jira.plugin.... ]
Stefano Maestri moved JBEAP-8777 to WFLY-8077:
----------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-8077 (was: JBEAP-8777)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: JCA, Security (was: JCA, Security)
Affects Version/s: (was: 7.1.0.DR11)
> datasource subsystem - credential-reference doesn't work
> --------------------------------------------------------
>
> Key: WFLY-8077
> URL: https://issues.jboss.org/browse/WFLY-8077
> Project: WildFly
> Issue Type: Bug
> Components: JCA, Security
> Reporter: Stefano Maestri
> Assignee: Stefano Maestri
> Priority: Blocker
>
> There are more issues:
> # credential reference is always (not)resolved to _undefined_. It works with ExampleDS and H2 because it accepts any password.
> I tried to fix it in [f512ce274c8837f642e0a7a949018acdfd2a017e|https://github.com/simkam/wildfl...]
> # when #1 is fixed, {{<credential-reference clear-text="pass" />}} works, but {{<credential-reference store="store" alias="alias" />}} doesn't.
> {noformat}
> 18:00:07,970 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "datasources"),
> ("data-source" => "StoreAliasCredentialReferenceDatasource")
> ]): java.lang.IllegalArgumentException: value is null
> at org.jboss.dmr.ModelNode.<init>(ModelNode.java:167)
> at org.jboss.as.controller.OperationFailedException.<init>(OperationFailedException.java:59)
> at org.jboss.as.controller.OperationFailedException.<init>(OperationFailedException.java:98)
> at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:192)
> at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd.secondRuntimeStep(AbstractDataSourceAdd.java:328)
> at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$1.execute(AbstractDataSourceAdd.java:137)
> at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:921)
> at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:664)
> at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:383)
> at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1390)
> at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:419)
> at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:240)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:193)
> at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:240)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:212)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> {noformat}
> https://github.com/simkam/wildfly/commits/credential-reference contains tests and fix for #1
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFLY-8076) datasources and resource-adapter subsystems: credential-reference and password should be mutually exclusive
by Stefano Maestri (JIRA)
[ https://issues.jboss.org/browse/WFLY-8076?page=com.atlassian.jira.plugin.... ]
Stefano Maestri moved JBEAP-8776 to WFLY-8076:
----------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-8076 (was: JBEAP-8776)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: JCA, Security (was: JCA, Security)
Affects Version/s: (was: 7.1.0.DR11)
> datasources and resource-adapter subsystems: credential-reference and password should be mutually exclusive
> -----------------------------------------------------------------------------------------------------------
>
> Key: WFLY-8076
> URL: https://issues.jboss.org/browse/WFLY-8076
> Project: WildFly
> Issue Type: Bug
> Components: JCA, Security
> Reporter: Stefano Maestri
> Assignee: Stefano Maestri
>
> credential-reference and password should be mutually exclusive, they should have alternatives set
> {noformat}
> "password" => {
> "type" => STRING,
> "description" => "Specifies the password used when creating a new connection",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "requires" => ["user-name"],
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-constraints" => {"sensitive" => {
> "credential" => {"type" => "core"},
> "data-source-security" => {"type" => "datasources"}
> }},
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "credential-reference" => {
> "type" => OBJECT,
> "description" => "Credential (from Credential Store) to authenticate on data source",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "capability-reference" => "org.wildfly.security.credential-store",
> "access-constraints" => {"sensitive" => {
> "credential" => {"type" => "core"},
> "data-source-security" => {"type" => "datasources"}
> }},
> "value-type" => {
> "store" => {
> "type" => STRING,
> "description" => "The name of the credential store holding the alias to credential",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "alias" => {
> "type" => STRING,
> "description" => "The alias which denotes stored secret or credential in the store",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "type" => {
> "type" => STRING,
> "description" => "The type of credential this reference is denoting",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "clear-text" => {
> "type" => STRING,
> "description" => "Secret specified using clear text (check credential store way of supplying credential/secrets to services)",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "all-services"
> }
> {noformat}
--
[JBoss JIRA] (ELY-941) Allow provider name to be null in SSLContextBuilder
by Darran Lofthouse (JIRA)
Darran Lofthouse created ELY-941:
------------------------------------
Summary: Allow provider name to be null in SSLContextBuilder
Key: ELY-941
URL: https://issues.jboss.org/browse/ELY-941
Project: WildFly Elytron
Issue Type: Task
Components: SSL
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 1.1.0.Beta24
The utility searching for the provider takes 'null' to mean any provider allowed so a 'null' value should be allowed.
--
[JBoss JIRA] (WFCORE-2254) InterdependentDeploymentTestCase fails with security manager
by Ingo Weiss (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2254?page=com.atlassian.jira.plugi... ]
Ingo Weiss reassigned WFCORE-2254:
----------------------------------
Assignee: Ingo Weiss
> InterdependentDeploymentTestCase fails with security manager
> ------------------------------------------------------------
>
> Key: WFCORE-2254
> URL: https://issues.jboss.org/browse/WFCORE-2254
> Project: WildFly Core
> Issue Type: Bug
> Components: Test Suite
> Reporter: Jan Tymel
> Assignee: Ingo Weiss
>
> *org.jboss.as.test.manualmode.deployment.InterdependentDeploymentTestCase#test*
> {{cd testsuite/manualmode/}}
> {{mvn test -DtestLogToFile=false -Dtest=InterdependentDeploymentTestCase -Dsecurity.manager}}
> {code}
> ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service ServiceActivatorDeployment.c: org.jboss.msc.service.StartException in service ServiceActivatorDeployment.c: Failed to start service
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
> at org.jboss.msc.service.MSCExecutor$1.run(MSCExecutor.java:77)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.util.PropertyPermission" "interrelated-c.jar" "write")" in code source "(vfs:/content/interrelated-a.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.interrelated-a.jar" from Service Module Loader")
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
> at java.lang.System.setProperty(System.java:792)
> at org.jboss.as.test.deployment.trivial.ServiceActivatorDeployment.start(ServiceActivatorDeployment.java:91)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
> ... 4 more
> {code}
--
[JBoss JIRA] (ELY-751) Coverity static analysis: Explicit null dereferenced in LdapKeyStore (Elytron)
by Ilia Vassilev (JIRA)
[ https://issues.jboss.org/browse/ELY-751?page=com.atlassian.jira.plugin.sy... ]
Ilia Vassilev updated ELY-751:
------------------------------
Fix Version/s: (was: 1.1.0.Beta17)
> Coverity static analysis: Explicit null dereferenced in LdapKeyStore (Elytron)
> ------------------------------------------------------------------------------
>
> Key: ELY-751
> URL: https://issues.jboss.org/browse/ELY-751
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Josef Cacek
> Assignee: Ilia Vassilev
> Priority: Critical
> Labels: static_analysis
>
> Coverity static-analysis scan found possible use of null object in {{LdapKeyStore}} constructor.
> https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=57601...
> The {{LdapKeyStore.Builder.build()}} method constructs the {{LdapKeyStore}} instance this way:
> {code}
> return new LdapKeyStore(spi, null, null);
> {code}
> and the constructor just calls parent ctor:
> {code}
> protected LdapKeyStore(KeyStoreSpi keyStoreSpi, Provider provider, String type) {
> super(keyStoreSpi, provider, type);
> }
> {code}
> And it fails with NPE if debug for {{KeyStore}} is enabled as the constructor contains:
> {code}
> if (!skipDebug && pdebug != null) {
> pdebug.println("KeyStore." + type.toUpperCase() + " type from: " +
> this.provider.getName());
> }
> {code}
--
[JBoss JIRA] (ELY-751) Coverity static analysis: Explicit null dereferenced in LdapKeyStore (Elytron)
by Ilia Vassilev (JIRA)
[ https://issues.jboss.org/browse/ELY-751?page=com.atlassian.jira.plugin.sy... ]
Ilia Vassilev reopened ELY-751:
-------------------------------
JBEAP-7246 (reopen):
Please replace type "LdapRealm" -> "LdapKeyStore".
LdapKeyStore is not a key store of type LdapRealm.
> Coverity static analysis: Explicit null dereferenced in LdapKeyStore (Elytron)
> ------------------------------------------------------------------------------
>
> Key: ELY-751
> URL: https://issues.jboss.org/browse/ELY-751
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Josef Cacek
> Assignee: Ilia Vassilev
> Priority: Critical
> Labels: static_analysis
> Fix For: 1.1.0.Beta17
>
>
> Coverity static-analysis scan found possible use of null object in {{LdapKeyStore}} constructor.
> https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=57601...
> The {{LdapKeyStore.Builder.build()}} method constructs the {{LdapKeyStore}} instance this way:
> {code}
> return new LdapKeyStore(spi, null, null);
> {code}
> and the constructor just calls parent ctor:
> {code}
> protected LdapKeyStore(KeyStoreSpi keyStoreSpi, Provider provider, String type) {
> super(keyStoreSpi, provider, type);
> }
> {code}
> And it fails with NPE if debug for {{KeyStore}} is enabled as the constructor contains:
> {code}
> if (!skipDebug && pdebug != null) {
> pdebug.println("KeyStore." + type.toUpperCase() + " type from: " +
> this.provider.getName());
> }
> {code}
--
[JBoss JIRA] (WFLY-6357) WARN ISPN000112: exception while committing: javax.transaction.xa.XAException due to replication timeout
by Paul Ferraro (JIRA)
[ https://issues.jboss.org/browse/WFLY-6357?page=com.atlassian.jira.plugin.... ]
Paul Ferraro updated WFLY-6357:
-------------------------------
Priority: Critical (was: Major)
> WARN ISPN000112: exception while committing: javax.transaction.xa.XAException due to replication timeout
> --------------------------------------------------------------------------------------------------------
>
> Key: WFLY-6357
> URL: https://issues.jboss.org/browse/WFLY-6357
> Project: WildFly
> Issue Type: Bug
> Components: Clustering
> Affects Versions: 10.0.0.Final
> Reporter: Michal Vinkler
> Assignee: Paul Ferraro
> Priority: Critical
>
> This is a separate issue originally logged as part of JBEAP-794 (#4 in this [comment|https://issues.jboss.org/browse/JBEAP-794?focusedCommentId=131706...]).
> Seen in ejb-remote, ejb-ejbservlet and http-session scenarios with *REPL* cache and *SYNC* replication.
> TimeoutException occurred after perf18 (or any other node) rejoined a cluster (after graceful shutdown, jvmkill or undeploy - it doesn't matter), but it does not seem to affect client:
> {code}
> [JBossINF] 03:23:38,462 WARN [org.infinispan.transaction.tm.DummyTransaction] (default task-24) ISPN000112: exception while committing: javax.transaction.xa.XAException
> [JBossINF] at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
> [JBossINF] at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
> [JBossINF] at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
> [JBossINF] at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
> [JBossINF] at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
> [JBossINF] at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
> [JBossINF] at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
> [JBossINF] at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:71)
> [JBossINF] at org.wildfly.clustering.web.undertow.session.DistributableSession.requestDone(DistributableSession.java:76)
> [JBossINF] at io.undertow.servlet.spec.ServletContextImpl.updateSessionAccessTime(ServletContextImpl.java:768)
> [JBossINF] at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:563)
> [JBossINF] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:331)
> [JBossINF] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> [JBossINF] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> [JBossINF] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> [JBossINF] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> [JBossINF] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> [JBossINF] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [JBossINF] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [JBossINF] at java.lang.Thread.run(Thread.java:745)
> [JBossINF] Caused by: org.infinispan.util.concurrent.TimeoutException: Replication timeout for perf19
> [JBossINF] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765)
> [JBossINF] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$175(JGroupsTransport.java:612)
> [JBossINF] at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> [JBossINF] at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> [JBossINF] at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> [JBossINF] at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> [JBossINF] at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47)
> [JBossINF] at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16)
> [JBossINF] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> [JBossINF] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> [JBossINF] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> [JBossINF] ... 3 more
> {code}
> Also, JBEAP-3779 and JBEAP-3780 (and partially also JBEAP-3782) accompany this issue, see [occurrences report|http://download.eng.brq.redhat.com/scratch/mvinkler/reports/occurr...]
> Server link:
> http://jenkins.mw.lab.eng.bos.redhat.com/hudson/job/eap-7x-failover-http-...
--
[JBoss JIRA] (WFLY-8075) datasources subsystem should not depend on legacy security subsystem
by Stefano Maestri (JIRA)
[ https://issues.jboss.org/browse/WFLY-8075?page=com.atlassian.jira.plugin.... ]
Stefano Maestri moved JBEAP-8774 to WFLY-8075:
----------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-8075 (was: JBEAP-8774)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: JCA (was: JCA)
Affects Version/s: (was: 7.1.0.DR11)
> datasources subsystem should not depend on legacy security subsystem
> --------------------------------------------------------------------
>
> Key: WFLY-8075
> URL: https://issues.jboss.org/browse/WFLY-8075
> Project: WildFly
> Issue Type: Bug
> Components: JCA
> Reporter: Stefano Maestri
> Assignee: Stefano Maestri
> Priority: Critical
>
> After removing the legacy {{security}} subsystem and booting the server, you see
> {noformat}
> 11:31:07,203 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "datasources"),
> ("data-source" => "ExampleDS")
> ]) - failure description: {
> "WFLYCTL0412: Required services that are not installed:" => [
> "jboss.security.subject-factory",
> "jboss.security.simple-security-manager"
> ],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => ["org.wildfly.data-source.ExampleDS is missing [jboss.security.simple-security-manager, jboss.security.subject-factory]"]
> }
> 11:31:07,207 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "datasources"),
> ("data-source" => "ExampleDS")
> ]) - failure description: {
> "WFLYCTL0412: Required services that are not installed:" => [
> "jboss.security.subject-factory",
> "jboss.security.simple-security-manager",
> "jboss.security.subject-factory",
> "jboss.security.simple-security-manager"
> ],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => [
> "org.wildfly.data-source.ExampleDS is missing [jboss.security.simple-security-manager, jboss.security.subject-factory]",
> "org.wildfly.data-source.ExampleDS is missing [jboss.security.simple-security-manager, jboss.security.subject-factory]"
> ]
> }
> {noformat}
> Which means that datasources subsystem requires functionality of the legacy security subsystem. It should be possible to completely get rid of the legacy subsystem and work with just Elytron.
--